Series 3 PROM Hack

[Narf54321]

Important Note: This method requires removing the SST37 PROM chip from the Series-3 motherboard, which is difficult and may end up rendering your (expensive) Tivo useless!

Inferring some info from the DT PROM hack thread, I managed to get some work done on the Series 3 TCD648 PROM v3.16. Like the SD Dual-Tuner model, the S3 has a compressed image as part of the bootup code. As mrpenguin describes in the other thread, First there is a check code you need to disable. For v3.16 PROM this should be at 0x6D4C.

Then you need to locate the gzip signature 1F 8B 08 (the 08 indicates max compression) within the binary PROM code which marks the compressed portion and save it out seperately from the rest of the PROM code for further editing. I did this by using the editor to delete everything before the gzip portion begins, and save as a new binary file. For v3.16 PROM this compressed portion should begin at 0xB5C8.

Then you must unpack this compressed portion, edit the hex, and recompress with gzip -9n. Be wary of compressor tools which want to add flags and comments to your re-compressed image since the original PROM has none of that. I don't know how well the S3 would handle extra cruft. I ended up using plain gzip within cygwin.

Use the editor to glue your newly compressed image back into the original PROM code at the same place the old image was. Save it and burn to a new chip.

Code:

First edit (hex):
Address  Orig_Value   Change_Value
0x6D4C	 04 40 00 12  00 00 00 00

Code:

Edit within gzip compressed portion:
Addr   Orig_Value   Change_Value
0x31B8 10 43 00 0A  10 00 00 0A

(Note that address 0x31B8 is from the beginning of the smaller binary file after you've chopped this piece of PROM clean away from the rest and uncompressed it. Be sure to re-compress with gzip -9n when you're finished here)

Added confusion since the target code 10 43 00 0A is found twice within the internal compressed image -- Once at 0x31B8 (which I edited) and another at 0x8BBC (which I left alone). Discussion on how important this might be can follow.

Once you've verified your S3 Tivo still boots, you can pull the drive and use mrblack's venerable replace_initrd on the hard drive's boot kernel.

[Narf54321]

So what actually works on a "hacked" S3? It's late and I haven't spent much more than a few minutes verifying telnet. I've only loaded AlphaWolf's All-in-One utilities (busybox and other useful stuff) and tried ls and vi. The busybox version of vi is of course still broken, but works well enough to edit files on the Tivo.

I'm guessing that a number of S2 MIPS programs will run.

EDIT: A couple more things found which work. TivoWebPlus 2.0 and caller-ID via TivoNCID. Also MFS_FTP runs with the same series-2 tweaks, although it seems to be of very limited usefulness right now.

[mr_zorg]

Awesome work! Now I may have to seriously think about upgrading to an S3... Time to research exactly what this box can and can't do.

P.S. Any chance of someone burning new PROMs for those of us that don't have the equipment to do so? For a small fee, of course...

[mrpenguin]

Great job! I bet you are psyched! you should be!

Congrats!

[DaytonaDave]

Great work!

I am curious -- is this prom socketed? I am ordering my S3 this week and look forward to trying this out.

Thanks,
DD

[stevel]

It is not socketed unless you socket it.

[Narf54321]

Removing (i.e. desoldering) the S3 PROM and installing a socket should be performed very carefully. There are little surface-mount components which are much closer to this chip on the S3 than on the previous model 2.5 "nightlight" and R10 motherboards.

[avpman]

No way to reprogram the chip in place I guess??

[Narf54321]

Tivo uses an SST37VF010 model PROM chip, which requires 12 volts on the A9 pin to erase for reprogramming. I don't know if Tivo supplies the required equipment to erase "in-line" at the higher voltage. And you run into the catch-22 issue of how to issue an 'erase' command if you haven't already exploited the box. And the fact that although there appears to be an official Tivo linux tool which can read from the PROM, Tivo doesn't seem to have included anything to write an image onto the PROM.

Seems to me rigging a wiring harness or something to reprogram the PROM on the motherboard is more difficult and potentially more dangerous to the board than simply socketing.

I've done a few sockets in my time, and I've always replaced the original chips with the SST39's which are erased and reprogrammed at ~3.3volts. Once socketed, you can boot into the fixed machine and theoretically use something like homieflash to do PROM updates.

[avpman]

I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.

I've inquired among several commercial component level repair shops and the going rate to remove the S3 chip and replace it with a socket has so far been about $70-80 (provided I supply the socket). The prices quoted all seem to be the going minimum rate for an hour's work.

If someone is able to hack the code succesfully, I'll agressively pursue a shop to get the price down to something more reasonable. I would think something in the $40-50 range would be more palatible.

If you're brave enough to do it on your own, a company called Chipquik makes a kit for desoldering SMD chips. http://www.chipquik.com/newsletters/..._june_2004.htm I've written them to ask if their product will work equally as well on PLCC chips. PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.

[Jamie]

Quote:

Originally Posted by avpman

I've been doing some research on the S3 board and chip. The chip is a 32pin PLCC form factor. A bit easier to work with than a (SMT) surface mount chip in the S2 series.

It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here are some sources for parts.

Quote:

...
If someone is able to hack the code succesfully,
...

Narf already did that.

Quote:

...
PLCC chips are soldered through holes in the board. Surface mount chips sit on pads atop the board.

I think you are confused. Have you examined a Series3 motherboard?

[avpman]

Quote:

Originally Posted by Jamie

It's the same chip and form factor as the Series2. They are both surface mount PLCC-32. Here are some sources for parts.


Narf already did that.

I think you are confused. Have you examined a Series3 motherboard?

1) Do we have independent confirmation that Narf's hack has worked?

2) Can we get a way to get the code or someone willing to burn a PROM for further testing?

3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).

4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outine on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assesment in comment #3 above

[Narf54321]

Quote:

Originally Posted by avpman

1) Do we have independent confirmation that Narf's hack has worked?

Ah, a scientist ... I see.
You don't necessarily have to take my word for it, but yes the PROM hack works (else I wouldn't have posted). I'm a bit hesitant to post actual binaries at this time, but there's nothing wrong with instructions for other owners.

Quote:

Originally Posted by avpman

2) Can we get a way to get the code or someone willing to burn a PROM for further testing?

You get the code off the original SST37 prom. And monkey it with a hex editor -- I used XVI32 myself.

As far as 'testing', the S3 behaves much like a MIPS S2 machine, there's just more RAM available. It seems to be pretty much the same Linux setup. TivoWebPlus 2.0 runs, but most of the modules don't work right.

Quote:

Originally Posted by avpman

3) I'm willing to help in any way I can. I'll get the blank chips, sockets and a burner if someone can give me instructions on what to do. (I follow instructions well. And I'm fairly bright).

I got one of those knockoff Willem programmers off eBay. It works well enough, just be sure you get one with the PLCC32 socket. Jamie even mentioned in another thread that there are cheap IDE controllers (SI I think) with programmable PLCC32 sockets.

Or an old S2 DirecTivo laying around already socketed, and use ADH's homieflash.

Personally, I recommend using the SST39's as replacement chips. The 37's require 12volts to reprogram and I've had trouble setting that up with my programmer. The 39's can be erased and reprogrammed easily at 3.3volts, and once installed should be able to be homieflashed in the future if needed.

A side note on sockets: Do NOT get the sockets with posts on the bottom. There are no holes on the Tivo board to fit them.

Quote:

Originally Posted by avpman

4) I opened my S3. I am looking at the chip in position U6 on the board. The sticker on the chip says "CBOM-0013-00 V3.16 rel". Underneath the sticker the chip is identified as an SST "37VF010-70-3C-NH". Curiously, there is an outine on the board for a socket. Am I looking at the right chip? If I'm not looking at the right chip, then disregard my self-assesment in comment #3 above

Yeah, its nice they masked off the socket area already for us, isn't it. It's the same SST chip they've used in the S2, and the S1 before that.

According to the sticker, you've got the v3.16 release, which is good. My instructions (see first post) rely on the 3.16 PROM code, so if Tivo ships out a newer code version the exact hex locations will likely be different.

[avpman]

Check your PM - Thanks

[pmiranda]

They probably used sockets for the prototypes so they could swap ROMs quickly for debug.
Hmm... I've got a really early S3, I wonder if it has a socket... Even basic web control of it would be nice... being able to take a few shows with me on the road would be really nice.
Just 35 weeks until my warranty expires.